Synopsis: This article is about ip over ip tunnel technique
Keywords: ipip
IP over IP tuennelling is an overlay network, it's often used to connect two private IP networks across point to point public Internet.
here is an example of IP over IP:
+-----------------------------------------------------------------------------------------------------------+
| Host Networks |
| +-------------------------------------+ +-------------------------------------------+ |
| | Private Network A | | Private Network B | |
| | (blackhole: 172.16.17.0/24) | | (blackhole: 192.168.199.0/24) | |
| | | | | |
| | 172.16.17.1/24 | | 192.168.199.1/24 | |
| | [tap interface] | | [tap interface] | |
| | 10.1.1.1/24 |10.1.1.2/24 | |
| | + | | + | |
| +-------------------------------------+ +-------------------------------------------+ |
| | | |
| +---------------------------------+ |
| public underlay network |
| |
| Objective: build connectivity for private network A and B. |
+-----------------------------------------------------------------------------------------------------------+
from the topology we are going to connect Private network A and B but they have no direct links attached, the only medium is the so-called
public underlay network.
all the commands are as below:
$sudo modprobe ipip
$sudo ip netns add netA
$sudo ip netns add netB
$sudo ip netns exec netA ip link add dummyA type dummy
$sudo ip netns exec netB ip link add dummyB type dummy
$sudo ip netns exec netA ip link set lo up
$sudo ip netns exec netB ip link set lo up
$sudo ip netns exec netA ip link set dummyA up
$sudo ip netns exec netB ip link set dummyB up
$sudo ip netns exec netA ip addr add 172.16.17.1/24 dev dummyA
$sudo ip netns exec netB ip addr add 192.168.199.1/24 dev dummyB
$sudo ip link add name underlayA type veth peer underlayB
$sudo ip link set dev underlayA netns netA
$sudo ip link set dev underlayB netns netB
$sudo ip netns exec netA ip link set dev underlayA up
$sudo ip netns exec netB ip link set dev underlayB up
$sudo ip netns exec netA ip addr add 10.1.1.1/24 dev underlayA
$sudo ip netns exec netB ip addr add 10.1.1.2/24 dev underlayB
$sudo ip netns exec netA ip link add name ipipA type ipip local 10.1.1.1 remote 10.1.1.2
$sudo ip netns exec netB ip link add name ipipB type ipip local 10.1.1.2 remote 10.1.1.1
$sudo ip netns exec netA ip link set ipipA up
$sudo ip netns exec netB ip link set ipipB up
$sudo ip netns exec netA ip route add 192.168.199.0/24 nexthop dev ipipA
$sudo ip netns exec netB ip route add 172.16.17.0/24 nexthop dev ipipB
Now private network A and B are connected. you can test it via ping or something else.
Note that you don't have to specify any addresses for interfaces ipipA and ipipB, they are just a channel.
since it's an IP channel, there is no overlay arp entry for next hop, next hop is an underlay dev.
finally we can captures to prove our ieda:
$sudo ip netns exec netA tcpdump -i underlayA -n 'ip'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on underlayA, link-type EN10MB (Ethernet), capture size 262144 bytes
14:18:59.523519 IP 10.1.1.1 > 10.1.1.2: IP 172.16.17.1.39820 > 192.168.199.1.80: Flags [S], seq 3149930231, win 64800, options [mss 1440,sackOK,TS val 3845009178 ecr 0,nop,wscale 7], length 0 (ipip-proto-4)
14:18:59.523575 IP 10.1.1.2 > 10.1.1.1: IP 192.168.199.1.80 > 172.16.17.1.39820: Flags [S.], seq 667467579, ack 3149930232, win 64260, options [mss 1440,sackOK,TS val 137618351 ecr 3845009178,nop,wscale 7], length 0 (ipip-proto-4)
14:18:59.523596 IP 10.1.1.1 > 10.1.1.2: IP 172.16.17.1.39820 > 192.168.199.1.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 3845009179 ecr 137618351], length 0 (ipip-proto-4)
14:18:59.523892 IP 10.1.1.1 > 10.1.1.2: IP 172.16.17.1.39820 > 192.168.199.1.80: Flags [P.], seq 1:141, ack 1, win 507, options [nop,nop,TS val 3845009179 ecr 137618351], length 140: HTTP: GET / HTTP/1.1 (ipip-proto-4)
14:18:59.523917 IP 10.1.1.2 > 10.1.1.1: IP 192.168.199.1.80 > 172.16.17.1.39820: Flags [.], ack 141, win 501, options [nop,nop,TS val 137618352 ecr 3845009179], length 0 (ipip-proto-4)
14:18:59.525566 IP 10.1.1.2 > 10.1.1.1: IP 192.168.199.1.80 > 172.16.17.1.39820: Flags [P.], seq 1:155, ack 141, win 501, options [nop,nop,TS val 137618353 ecr 3845009179], length 154: HTTP: HTTP/1.0 200 OK (ipip-proto-4)
14:18:59.525602 IP 10.1.1.1 > 10.1.1.2: IP 172.16.17.1.39820 > 192.168.199.1.80: Flags [.], ack 155, win 506, options [nop,nop,TS val 3845009181 ecr 137618353], length 0 (ipip-proto-4)
14:18:59.525645 IP 10.1.1.2 > 10.1.1.1: IP 192.168.199.1.80 > 172.16.17.1.39820: Flags [P.], seq 155:686, ack 141, win 501, options [nop,nop,TS val 137618354 ecr 3845009181], length 531: HTTP (ipip-proto-4)
14:18:59.525650 IP 10.1.1.1 > 10.1.1.2: IP 172.16.17.1.39820 > 192.168.199.1.80: Flags [.], ack 686, win 502, options [nop,nop,TS val 3845009181 ecr 137618354], length 0 (ipip-proto-4)
14:18:59.525697 IP 10.1.1.2 > 10.1.1.1: IP 192.168.199.1.80 > 172.16.17.1.39820: Flags [F.], seq 686, ack 141, win 501, options [nop,nop,TS val 137618354 ecr 3845009181], length 0 (ipip-proto-4)
14:18:59.526495 IP 10.1.1.1 > 10.1.1.2: IP 172.16.17.1.39820 > 192.168.199.1.80: Flags [F.], seq 141, ack 687, win 502, options [nop,nop,TS val 3845009181 ecr 137618354], length 0 (ipip-proto-4)
14:18:59.526537 IP 10.1.1.2 > 10.1.1.1: IP 192.168.199.1.80 > 172.16.17.1.39820: Flags [.], ack 142, win 501, options [nop,nop,TS val 137618354 ecr 3845009181], length 0 (ipip-proto-4)
DONE!
REF: https://tools.ietf.org/html/rfc2003